Sage CRM 2021: IP Address Checking and Session Cookies

I have written about the installation and configuration of system security in a couple of articles.

Essentially the security of a Sage CRM is focused around the decisions that you make around installing a secure system and then its configuration.

A System Administrator has great responsibility for the secure configuration of the application. This covers the user password policies and control of data access through the territories and security profile. And it also covers the access to individual fields and access to types of features such as mail merge and the export of data.

And security choices are made as the product is installed. Much of these choices are common to all web based application. An organisation can control access using a Firewall and/or a VPN. The encryption of communication through the use of HTTPS / SSL is another choice to be made and then implemented.

There are two levels of checking available in Sage CRM; IP Address Checking and Session Cookies

You may have seen the error message "IP Address Mismatch" which requires a user to log on again.

This message refers to the Client IP check that is performed by Sage CRM which means that all client requests during a session come from the same IP address.

Depending on how the client is connecting (through a firewall, DHCP, proxy etc) if the client IP address may then not be static and so user may experience this message.

You can switch this checking off on the CRM server by changing the IPAddressChecking flag in the registry to 'N'

Turn this off however and it potentially reduces the protection against 'spoofing' of a session. If someone has the same session ID but there is no IP check then another machine to by pass a security check.

Sage CRM has another option "Use browser session security".

You can find this in

Administration -> System -> System Behaviour

This option complements the IP Address Checking.

IP Address checking:

If a request is received from a user session that comes from a different IP address to that used at the start of that user session then the user is kicked out. If you turn this off, no checking on the IP Address happens, so a SID can be copied and pasted and reused from a different computer while that sessionid remains valid.

Browser Session Security:

A 'second' SID is stored as a browser cookie, and passed in on the headers (not in the url). If that Browser Session ID changes, then the user is kicked out. This feature requires that cookies are enabled on the browser. The cookie used is only valid for the duration of the user and browser session.

This is complementary as if the Browser Session Security is used BUT IP Address Checking is switched off then spoofing is prevented because although you may have the URL SID you would not have the addition SID within the cookie.

This also means that you can't be working on your machine in chrome, copy the URL and then paste into Edge or Firefox because these will use a different cookie store.

  • My personal experience of these settings is that when customers access CRM over the open internet via an externally available URL like is that the IP address checking should be disabled and the browser session security needs to be no otherwise you will just get hit with support queries about "IP address mismatch" errors and randomly being booted out. Certainly more prevalent now that many people work from home and also a lot of customers don't set up VPNs for CRM. My recommendation is that they do use a VPN and access the internal name rather than an external one, but most want the external option... so both options now just get turned off as a matter of course.